VMware / VDI malware protection: Symantec, Trend and McAfee

Symantec Endpoint Protection still has no agentless virus scan version like Trend or McAfee with MOVE. Those use the vShield API from VMware and need no software running directly in the VM. (http://www.vmware.com/pdf/vshield_55_admin.pdf)

BUT tests have shown that even with the agent in the VM/VDI, Symantec SEP 12.X is faster in daily tracking, stable status and scanning, and is only slow while the machine does its virus pattern update once a day.

Keep in mind that most antivirus vendors only update the main definitions once a day (McAfee at 17:00 CET); the rest is GTI / 0-day releases on all three.

So even with the agent in the VDI machines you get, as a rule of thumb, equal or even better performance.

Also keep in mind that antivirus APIs like the one from Microsoft have been the source of a lot of trouble, false events and fights in the last few years. You can decide whether you want that between:

  1. your antivirus vendor and Microsoft

  2. your antivirus vendor and VMware

Worth mentioning at this point is a hypervisor-based solution, which mixes things up again.

The problem in general may no longer be so relevant, since NetApp and all the new companies coming out with flash/SSD storage try to solve it from the storage side.

Gartner Magic Quadrant


Products mentioned in those articles with regard to VMs:


McAfee's Management for Optimized Virtual Environments (MOVE) has offered optimized anti-malware scanning in virtualized environments for two years, and now MOVE 2.5 offers agentless anti-malware scanning in VMware environments using native vShield API integration.


Symantec does not yet offer an "agentless" version for optimizing anti-malware scanning in virtualized environments (although its shared Insight cache feature can be used to improve performance).

2012 Symantec SEP 12.1 and McAfee MOVE under VMware 5.X


2012 Symantec SEP 12.1 and Trend


Back in 2011 Trend was faster

2011 Symantec SEP 11, Trend and McAfee



APP-V: Debug App-V Environment from package


On an App-V client, create a shortcut on the Desktop to the existing App-V application you would like to debug.


Open the Properties of the shortcut, change the TARGET as marked and include

/EXE cmd.exe





Existing Target:

"C:\Program Files\Microsoft Application Virtualization Client\sfttray.exe" /launch "LeechFTP"

New Target for the command line box (changes marked in red in the screenshot):

"C:\Program Files\Microsoft Application Virtualization Client\sfttray.exe" /exe cmd.exe /launch "LeechFTP"

If you open that link now, you are inside the bubble and are able to check code, paths or registry keys.




Here is how to CHECK what may be wrong inside the BUBBLE.

Download and copy PROCMON.EXE and PROCEXP.EXE from TechNet / Microsoft / Sysinternals.

If you WANT to DEBUG as a domain user without special rights (why is it slow as USER and not as Administrator?),

you may have to RUN procmon.exe with RUNAS. Be sure to use /NOPROFILE, otherwise the monitor will see different data.

Exclude the PROCESSES you don't want to see, like vmware, virus protection, winlogon, windows services etc.



You want to check the virtual EXE itself:

Example: GIMP-2.6.exe


Also check the App-V process itself:



Look for whether they TRY to write, open or change files on the Q: drive that they may not have access to as the logged-on user.

Once you have FOUND the file on which the PROCESS has no change permission, OPEN the App-V package in the Sequencer.

Example FILE that made problems: users30.mpm

Change the Sequencer file type from "Application Data" to "User Data" and REDO the package. "User Data" files are kept per user in the user's writable package cache, so a regular user can change them; "Application Data" files stay in the read-only package.
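The analysis step above (find the file the virtual process cannot change on the Q: drive) can be done over a Procmon CSV export instead of by eye. The script below is an added example and not part of the original notes; the four log rows are constructed sample data in Procmon's CSV column layout, and the process name, package folder and file names in them are illustrative, not from a real capture.

```powershell
# Added example, not part of the original notes: pick the ACCESS DENIED events on the
# package drive for one virtualised process out of a Procmon CSV export (File > Save..., CSV).
# The rows below are constructed sample data in Procmon's CSV column layout.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:12:01.0000001","gimp-2.6.exe","4120","CreateFile","Q:\gimp.001\etc\gimprc","SUCCESS","Desired Access: Generic Read"
"10:12:01.0000002","gimp-2.6.exe","4120","CreateFile","Q:\gimp.001\share\users30.mpm","ACCESS DENIED","Desired Access: Generic Write"
"10:12:01.0000003","gimp-2.6.exe","4120","CreateFile","C:\Windows\Temp\gimp.log","ACCESS DENIED","Desired Access: Generic Write"
"10:12:01.0000004","sfttray.exe","1188","RegSetValue","HKLM\SOFTWARE\Microsoft\SoftGrid\4.5\Client","ACCESS DENIED","Type: REG_SZ"
'@

function Get-DeniedPackageAccess {
    param(
        [Parameter(Mandatory = $true)][object[]]$Events,   # rows from Import-Csv / ConvertFrom-Csv
        [string]$ProcessName = 'gimp-2.6.exe',              # the virtual EXE you are watching
        [string]$PackageDrive = 'Q:'                         # App-V client drive letter
    )
    # Only ACCESS DENIED results on the package drive for the chosen process point at a
    # package problem; denials elsewhere (C:\Windows\Temp, HKLM) are normal for a regular
    # user and are not fixed by repackaging.
    $Events | Where-Object {
        $_.'Process Name' -eq $ProcessName -and
        $_.Result -eq 'ACCESS DENIED' -and
        $_.Path -like ($PackageDrive + '\*')
    } | Select-Object 'Process Name', Operation, Path, Detail
}

$events = $sampleCsv | ConvertFrom-Csv
Get-DeniedPackageAccess -Events $events | Format-Table -AutoSize

# On a real capture: Get-DeniedPackageAccess -Events (Import-Csv .\Logfile.CSV) -ProcessName 'gimp-2.6.exe'
```

On the sample data only the users30.mpm row survives the filter, which is exactly the file the recipe above then switches from "Application Data" to "User Data" in the Sequencer. The C:\Windows\Temp and HKLM denials are dropped on purpose: a standard user is not supposed to write there, and a capture taken with RUNAS /NOPROFILE will show them for any application.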

Microsoft APPV package Recipe for Irfanview 4.x

16.05.2013, Version 4.3X, Sequence Irfanview for Windows 7 64BIT

  1. Download all Binaries from the Website www.irfanview.com
  2. Download the Plugins you want
  3. Download the Language files you want

Start sequencing on your clean machine.

  1. Install Irfanview to the Path q:\irfan.001
  2. Copy over the Plugins and the language Files to the correct paths

Place the language files in:

Place the plugins in:

Path used:


Path for Plugins:

Q:\irfan.001\Irfanview\plugins (Copy the Plugin .DLL into this path)

Without registering the DLLs, the package will run as "Local Admin" or "Domain Admin" but NOT as a regular user: regsvr32 writes the COM registration under HKEY_CLASSES_ROOT / HKLM, which a regular user cannot write at runtime, so the registration has to be captured in the package's virtual registry during sequencing. For example, if you open a PostScript EPS file or press the button under Options / Plugins, you may receive an error. To prevent this, run the following commands during sequencing and also press the plugin buttons shown in "Picture 2" below once, to make sure the software loads all components. Please adapt your package path (irfan.001).


regsvr32.exe /s Q:\irfan.001\Plugins\8BF_Filters.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ansi2Unicode.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Awd.dll
regsvr32.exe /s Q:\irfan.001\Plugins\B3d.dll
regsvr32.exe /s Q:\irfan.001\Plugins\BabaCAD4Image.dll
regsvr32.exe /s Q:\irfan.001\Plugins\CADImage.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Crw.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Dicom.dll
regsvr32.exe /s Q:\irfan.001\Plugins\DjVu.dll
regsvr32.exe /s Q:\irfan.001\Plugins\EAFSH.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ecw.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Effects.dll
regsvr32.exe /s Q:\irfan.001\Plugins\EMail.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Exif.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Exr.dll
regsvr32.exe /s Q:\irfan.001\Plugins\FFactory.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Flash.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Flash4.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Formats.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Fpx.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ftp.dll
regsvr32.exe /s Q:\irfan.001\Plugins\FUNLTDIV.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Hdp.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ics.dll
regsvr32.exe /s Q:\irfan.001\Plugins\ImPDF.dll
regsvr32.exe /s Q:\irfan.001\Plugins\IPTC.dll
regsvr32.exe /s Q:\irfan.001\Plugins\JPEG2000.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Jpg_transform.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Jpm.dll
regsvr32.exe /s Q:\irfan.001\Plugins\KDC120.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Lcms.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ldf.dll
regsvr32.exe /s Q:\irfan.001\Plugins\LogoManager.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Lwf.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Med.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Mng.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Mp3.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Mpg.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Mrc.dll
regsvr32.exe /s Q:\irfan.001\Plugins\MrSID.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Nero.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Paint.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Photocd.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Pngout.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Postscript.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Quicktime.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ra_player.dll
regsvr32.exe /s Q:\irfan.001\Plugins\RegionCapture.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Sff.dll
regsvr32.exe /s Q:\irfan.001\Plugins\SoundPlayer.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Video.dll
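Because /s suppresses every regsvr32 dialog, a DLL whose registration failed (not a COM server, or HKCR/HKLM not writable in the session) is silently skipped in the list above and only shows up later as the "runs as admin but not as user" symptom. The script below is an added example, not part of the original recipe: it registers every DLL in the plugin folder and reports the regsvr32 exit code per file. The folder in $PluginPath is an assumption taken from the recipe's package path (irfan.001); adapt it to your own package.

```powershell
# Added example, not part of the original recipe: register all plugin DLLs of the package
# and surface the per-file regsvr32 exit code that the /s switch otherwise hides.
# Run it in the sequencer session, where the single regsvr32 lines of the recipe run.
function Register-PackagePlugins {
    param(
        [string]$PluginPath = 'Q:\irfan.001\Plugins'   # assumption: adapt to your package path
    )

    # Documented regsvr32 exit codes. 4 is expected for plain (non-COM) plugin DLLs and is
    # harmless; 5 is the one to chase, it usually means the registry was not writable.
    $meaning = @{
        0 = 'registered'
        1 = 'invalid argument'
        2 = 'OleInitialize failed'
        3 = 'LoadLibrary failed (missing dependency or wrong bitness)'
        4 = 'no DllRegisterServer export (not a COM server)'
        5 = 'DllRegisterServer failed (registry not writable?)'
    }

    foreach ($dll in Get-ChildItem -Path $PluginPath -Filter '*.dll' | Where-Object { -not $_.PSIsContainer }) {
        $proc = Start-Process -FilePath 'regsvr32.exe' `
                              -ArgumentList '/s', ('"{0}"' -f $dll.FullName) `
                              -Wait -PassThru -NoNewWindow
        [pscustomobject]@{
            Dll      = $dll.Name
            ExitCode = $proc.ExitCode
            Result   = if ($meaning.ContainsKey($proc.ExitCode)) { $meaning[$proc.ExitCode] } else { 'unknown' }
        }
    }
}

# Show only what did not register, so the output stays short on a healthy package.
Register-PackagePlugins | Where-Object { $_.ExitCode -ne 0 } | Format-Table -AutoSize
```

Run it once before taking the sequencer snapshot; any row with exit code 5 means the registration did not land in the virtual registry, and the package will show the regular-user error described above no matter how many plugin buttons you press.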


Starting with version 4.3 the installer also brings "adware": Google Toolbar and Chrome offers. The author suppresses the popups until a certain date. Here is how to get rid of it:


[HKEY_LOCAL_MACHINE\SOFTWARE\Google\No Chrome Offer Until]

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\No Toolbar Offer Until]


Change that value to some date in the future like from "20130914" to "20200101" (Year 2020)


Picture 2

Also, during sequencing press the buttons below once. See if it is working as it should:



APPV How to call a script/batch FROM within the APPV bubble

Insert the following text as an example into the Filename.OSD to run a script from within the App-V package. Each SCRIPTBODY sits inside a SCRIPT element of the OSD's DEPENDENCY section (TIMING="PRE" EVENT="LAUNCH" WAIT="TRUE" PROTECT="TRUE" for a pre-launch script that runs inside the bubble and whose exit code the launch waits for). Note the OSD escaping: a backslash is written as \\ and a line break as \n. The two lines below are alternatives: the first calls an external check.cmd, the second does the check inline and only lets the launch continue (exit 0) when the base software is present.


      <SCRIPTBODY>@call \\\\apv01\\scripts$\\pabs\\check.cmd \n</SCRIPTBODY>
      <SCRIPTBODY>if exist "C:\\Program Files (x86)\\Pabsnet\\pabs.exe" (exit 0) else exit 1 \n</SCRIPTBODY>



APPV: How to identify the Microsoft Office 2010 Deployment Kit for App-V

How to identify the Microsoft Office 2010 Deployment Kit for App-V. This is useful if you have App-V packages for Visio or Project.

Before you can run those you need to pre-install the Microsoft Office 2010 Deployment Kit for App-V with software deployment.

The App-V packages should not show up before the base software is installed.


Here are some flags to check from the MSI package: OffVirt.msi, Version: 14.0.4763.1000
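A pre-launch check of the kind the OSD section above calls through check.cmd can test for the deployment kit before the Visio or Project package is allowed to start. The script below is an added example and not part of the original notes: it reads the Add/Remove Programs entries in the registry and compares the version against the one noted above (14.0.4763.1000). The DisplayName pattern is an assumption; verify it against the entry OffVirt.msi creates in your environment.

```powershell
# Added example, not from the original notes: tell whether the Office 2010 Deployment Kit
# for App-V (OffVirt.msi) is installed, by reading the uninstall entries in the registry.
function Test-OfficeDeploymentKit {
    param(
        # Assumption: the DisplayName the kit registers; check it in your own environment.
        [string]$NamePattern = '*Office 2010 Deployment Kit for App-V*',
        # Version of OffVirt.msi noted above.
        [version]$MinimumVersion = '14.0.4763.1000'
    )
    # Both native and WOW6432Node views, so a 32-bit kit on 64-bit Windows 7 is found too.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $hits = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like $NamePattern }

    foreach ($hit in $hits) {
        # Skip entries whose DisplayVersion is missing or not a parseable version.
        try { $installed = [version]$hit.DisplayVersion } catch { continue }
        if ($installed -ge $MinimumVersion) {
            return [pscustomobject]@{ Present = $true; Name = $hit.DisplayName; Version = $installed }
        }
    }
    return [pscustomobject]@{ Present = $false; Name = $null; Version = $null }
}

$kit = Test-OfficeDeploymentKit
$kit | Format-List

# Used as the target of a waited pre-launch script: exit 0 lets the App-V launch continue,
# exit 1 blocks it until the deployment kit has been rolled out by software deployment.
if ($kit.Present) { exit 0 } else { exit 1 }
```

Reading the uninstall entries needs no special rights, so the check works for the logged-on domain user the package is later launched by; if the kit is registered under a different DisplayName in your environment, only the $NamePattern default has to change.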